Last Updated Jul 2011
The Health Insurance Portability and Accountability Act, or HIPAA, was enacted by Congress in 1996 and marks a significant turning point in healthcare services in the United States. HIPAA serves two main functions: to protect healthcare coverage for individuals and regulate the availability of individual and group health insurance plans; and to ensure patient privacy, set standards for electronic healthcare transactions, and prevent healthcare fraud and abuse.
What Purpose Does HIPAA Serve?
As healthcare professionals we have access to a significant amount of personal information about our patients, so it is important to have a clear understanding of HIPAA policy and procedure in order to safeguard the rights of those in our care. HIPAA regulations mandate the protection of patient information, referred to, aptly, as protected health information, or PHI, and prohibit covered entities and the members of their workforce from using or disclosing such information unless certain criteria are met.
What Exactly Is Considered PHI?
By definition PHI includes “all ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.” (U.S. Dept. of Health and Human Services, Summary of the HIPAA Privacy Rule, 2010). Health information is “individually identifiable” when it is linked to an identifier of the patient or of the patient’s relatives, employers, or household members. The identifiers listed below are taken from the HIPAA de-identification standard (45 CFR 164.514(b)(2)); the full list contains eighteen items, and also includes dates (other than year) directly related to the patient, geographic subdivisions smaller than a state, Internet Protocol (IP) addresses, web URLs, and biometric identifiers such as fingerprints and voiceprints. Information considered PHI includes:
• Name of patient/relatives/employer
• Address
• Birth date
• Photographs
• Telephone/fax number
• E-mail address
• Social Security number
• Medical record/account number
• Health plan beneficiary number
• Certificate/license number
• Vehicle or other device serial number
• Any other unique identifying number, characteristic, or code
Note that an identifier on its own is not PHI; it becomes PHI when it is attached to information about a patient’s health condition, the care provided, or payment for that care. Conversely, a record that still carries any of these identifiers should be treated as PHI even if the patient’s name has been removed.
When Can PHI Be Disclosed?
PHI cannot be used or disclosed to anyone unless the Privacy Rule permits or the patient gives authorization in writing. Without written authorization, healthcare providers may use and disclose PHI for treatment (including providing actual healthcare services; coordinating and managing patient care; and providing referrals and referral sources), payment (including payment for services; eligibility determinations including Medicare and Medicaid; activities related to utilization reviews; and productivity reports containing patient information), and healthcare operations, which includes quality assurance issues; efficiency and cost-of-care functions; training, accreditation and certification; evaluation of healthcare provider skills, performance and qualifications; medical reviews; auditing; and business planning. The Privacy Rule also permits or requires a limited set of other disclosures, such as disclosure to the patient, to public health authorities, or as required by law. For any use or disclosure other than treatment, the “minimum necessary” standard applies: only the amount of PHI needed to accomplish the purpose may be used, disclosed, or requested, and access within the organization should be limited to the workforce members whose roles require it.
What Is the Employer’s Responsibility?
Employers must provide training to all employees regarding the company’s policies and procedures related to the use and disclosure of PHI as well as the security of electronic protected health information, or ePHI. Each new team member should be trained during the orientation process, including volunteers and students, as should anyone whose job functions are affected by changes made to policies and procedures. The Privacy Rule governs PHI in every form (electronic, paper, and oral); the HIPAA Security Rule, published in February 2003 with a compliance date of April 2005 for most covered entities, applies specifically to ePHI and requires an organization to establish and maintain the following categories of security measures:
Administrative Safeguards must include actions, policies, and procedures implemented to meet the security standards. Under HIPAA a covered entity must:
• Designate a Privacy Officer responsible for the privacy policies and procedures
• Designate a Security Officer responsible for developing and implementing the security policies and procedures
• Designate a contact person or office to receive complaints & provide further information
• Conduct and document a risk analysis of the threats to ePHI, and implement security measures that reduce those risks to a reasonable and appropriate level
• Provide training to all workforce members
• Develop and apply a sanction policy for workforce members who fail to comply
• Implement policies and procedures designed to comply with HIPAA standards
• Develop and conduct a security awareness training program for all employees
Physical Safeguards must be implemented to protect ePHI from unauthorized disclosure, modification, or destruction. This includes creating policies and procedures for facility access controls, workstation use and security, offsite equipment use, and device and media controls.
Technical Safeguards are required to “protect electronic protected health information and control access to it”. Technical safeguards include implementation of access control measures (unique user identification, emergency access procedures, automatic logoff, and encryption of stored ePHI), audit controls that record and examine activity in systems containing ePHI, integrity controls that detect improper alteration or destruction of ePHI, person or entity authentication, and transmission security measures that guard ePHI sent over a network. Some of these specifications (for example, encryption of ePHI at rest and in transit) are “addressable” rather than “required”; this does not make them optional. An organization must either implement an addressable specification or document why it is not reasonable and appropriate and implement an equivalent alternative measure.
Finally, Organizational Requirements are mandated to address business associate contracts and requirements for group health plans, while Policies and Procedures and Documentation Requirements focus on the creation, documentation, review and maintenance of policies and procedures. Required documentation, including the risk analysis and records of the actions taken to meet each standard, must be kept in written or electronic form for six years from the date it was created or last in effect, whichever is later, and must be made available to the workforce members responsible for carrying out the procedures it describes.
For more information on HIPAA policy and procedure, including how to ensure HIPAA compliance in your role as a therapy provider as well as the ‘Red Flags Rule’ established by the Federal Trade Commission, view our comprehensive course The HIPAA Privacy Rule: Patient Services and Marketing.

Care2Learn provides interactive, online continuing education to the long-term healthcare industry.